CVE-2026-11317

Vulnerability

A denial of service vulnerability exists in Rockwell Automation CompactLogix® 5370, Compact GuardLogix® 5370, ControlLogix® 5570, and GuardLogix® 5570 controllers [1]. The issue stems from a fault triggered when a crafted CIP (Common Industrial Protocol) message is sent to the device [1]. Affected firmware versions are those prior to 34.016, versions prior to 35.015, and versions prior to 36.012 [1]. Devices with less memory are more likely to be affected [1]. The underlying weakness is classified as CWE-404: Improper Resource Shutdown or Release [1].

Exploitation

An attacker must be able to send a specially crafted CIP message to an affected controller over the network [1]. No authentication is mentioned as a requirement, suggesting network access is sufficient. The crafted message triggers a fault that results in a major nonrecoverable fault (MNRF) [1]. The exact sequence is not detailed, but simply sending the malicious message is enough to cause the denial of service [1].

Impact

Successful exploitation causes a denial of service, specifically a major nonrecoverable fault (MNRF) on the controller [1]. The device becomes inoperable and a program download is required to recover [1]. This disrupts control operations in industrial environments, potentially halting manufacturing processes or safety functions. The CVSS 3.1 base score is 7.5 (High), and the CVSS 4.0 base score is 8.7 (High) [1].

Mitigation

Rockwell Automation has released corrected firmware versions: Version 34.016 and later, version 35.015 and later, version 36.012 and later, and version 37.011 and later [1]. Affected customers should upgrade to these versions. As a workaround, customers who cannot upgrade should follow Rockwell Automation’s security best practices [1]. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the advisory publication [1].